Re: Should I upgrade from 2.3.X?

2009-06-10 Thread J Sloan
Michael Wang wrote:
 Wietse Venema wrote:
 Michael Wang:
 [...snip...]
 Is 2.3 end-of-life coming any time soon?

 Updates for Postfix 2.2 stopped last year. 

 So that sounds like 2.3 patches may end this year. Assuming that, I
 have (very) roughly 6 months + some unknown amount of time past that
 if or when a security issue/some other critical problem is discovered
 in 2.3 to upgrade to something newer.

The ubuntu repos should supply security patches as applicable - but it
should also be fairly easy to just do an in-place upgrade to 8.04 LTS
which would get you postfix 2.5.5 among other things.

Joe



Re: Proxying a policy service

2009-05-18 Thread J Sloan
Jan P. Kessler wrote:

 hapolicy (http://postfwd.org/DEVEL/tools/hapolicy-0.99.1) was developed
 to be small (~200 lines of perl), simple and reliable. Therefore it uses
 only basic perl modules and relies on postfix spawn. We have run it for
 more than 6 months without problems to have a shared greylisting service
 across all of our relays without having to maintain a central database
 cluster. See the docs
 (http://postfwd.org/DEVEL/tools/hapolicy-0.99.1.html) for an example of
 such a configuration.
   

Thanks for the real world reference - hapolicy seems indeed to be simple
and rugged.

Joe



Re: Proxying a policy service

2009-05-14 Thread J Sloan
Geert Hendrickx wrote:

 What drawbacks did you experience?  We run a local policyd instance on each
 postfix server too, all connecting to a central (not replicated) MySQL.
 Policyd's behaviour when MySQL becomes unavailable is configurable, it can
 either tempfail (4xx) all incoming e-mail or dunno it.
   
Yes, that is the benefit of doing it that way. But we experienced
problems with recurring corruption of the isam tables when the network
connections to the db server were interrupted. Apparently myisam tables
don't deal well with interrupted connections, from what I found on google.

At any rate, once we moved policyd to the same host as the mysql
database, the corruption issue disappeared permanently, but we have the
different issue of smtp transactions failing whenever there are
connectivity glitches.

I'm going to try out hapolicy first, since it's quite a bit quicker and
cheaper to set up than full blown mysql replication.
Joe



Re: Postfix-2.6.0 RPM

2009-05-14 Thread J Sloan
Roderick A. Anderson wrote:

 Sorry to hear that but in the mean time you can grab .src.rpm for a
 prior release, the tarball for the current release and modify the
 .spec file to reflect this.
I've been doing this for our smtp servers for some time. The suse
factory postfix srpm compiles nicely on SLES and is usually fairly
current, but if need be, as mentioned above, it's not too difficult to
drop in a newer tarball from postfix.org and tweak the spec file before
rebuilding.

Joe



Re: Proxying a policy service

2009-05-14 Thread J Sloan
Geert Hendrickx wrote:
 On Thu, May 14, 2009 at 10:15:07AM -0700, J Sloan wrote:
   
 Yes, that is the benefit of doing it that way. But we experienced problems
 with recurring corruption of the isam tables when the network connections
 to the db server were interrupted. Apparently myisam tables don't deal well
 with interrupted connections, from what I found on google.
 


 FWIW, policyd v2 uses innodb.
   

That is true - however, policyd v1 is a very efficient compiled c
program which runs for months with no hiccups or memory leaks, and we're
understandably a bit hesitant to move to a perl script.

Joe





Re: Proxying a policy service

2009-05-13 Thread J Sloan
Adrian Overbury wrote:
 Has anyone ever written a proxy server for policy services?  I have a
 policy server (grossd, one of the best greylisting engines I've ever
 used) that, if it goes down, causes my Postfix servers to temp fail
 everything with 'Server configuration problem'.  This is a real
 problem for me.

I don't know specifically of a proxy offering that functionality, but I
too would find it useful. We are running policyd v 1.82 on a mysql
server, which is used by 4 smtp gateways in 2 data centers. If ever
there are wan issues and the policyd server is unreachable, smtp
connections to postfix simply fail during this time. A proxy which could
simply say Dunno when the policy server is unreachable would be very
useful indeed. If you do come across such a beast, do drop us a line!

Joe




Re: Proxying a policy service

2009-05-13 Thread J Sloan
Wietse Venema wrote:
 J Sloan:
   
 Adrian Overbury wrote:
 
 Has anyone ever written a proxy server for policy services?  I have a
 policy server (grossd, one of the best greylisting engines I've ever
 used) that, if it goes down, causes my Postfix servers to temp fail
 everything with 'Server configuration problem'.  This is a real
 problem for me.
   
 I don't know specifically of a proxy offering that functionality, but I
 too would find it useful. We are running policyd v 1.82 on a mysql
 server, which is used by 4 smtp gateways in 2 data centers. If ever
 there are wan issues and the policyd server is unreachable, smtp
 

 Instead of sending MySQL queries over a WAN connection, have you
 considered using a local MySQL replica instead? When the WAN hiccups,
 the replica keeps answering to the local MTAs.
   

That is another approach, and certainly worthy of consideration. At one
time we were running a local copy of policyd on each postfix server, but
that has its drawbacks as well.

Each solution has its costs - a policyd proxy would be the cheapest IMHO.

Joe


Re: Proxying a policy service

2009-05-13 Thread J Sloan
Sahil Tandon wrote:

 Google 'hapolicy synopsis' -- the author of postfwd wrote a perl
 script which acts as a load balancing policy service that can return
 dunno if the underlying services are unreachable.  Obviously, if
 hapolicy itself malfunctions, you're back at square one.

Looks interesting, I'll have to play with that -

Joe
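A minimal version of the fail-open policy proxy asked for in this thread (and of what the hapolicy reply describes), written here as an added example that is not hapolicy's or the thread's own code: it forwards each Postfix policy request to the real policy server over TCP and answers `action=dunno` itself when that server is unreachable or returns something that is not a verdict. The upstream host/port, the constructed sample request and the spawn(8) stdin/stdout wiring are assumptions.

```python
import socket
import sys

# Constructed sample request in the Postfix policy delegation protocol
# ("name=value" lines ended by an empty line); not taken from the thread.
SAMPLE_REQUEST = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
                  "client_address=192.0.2.10\nsender=alice@example.org\n"
                  "recipient=bob@example.net\n\n")
FAIL_OPEN = "action=dunno\n\n"  # reply when the real policy server is unreachable

def query_upstream(raw, host, port, timeout=3.0):
    """Forward the raw request to the real policy server (policyd, grossd, ...)
    and return its reply up to the empty line; any failure surfaces as OSError."""
    with socket.create_connection((host, port), timeout=timeout) as conn:
        conn.sendall(raw.encode())
        buf = b""
        while not buf.endswith(b"\n\n"):
            chunk = conn.recv(4096)
            if not chunk:
                raise OSError("upstream closed before replying")
            buf += chunk
    return buf.decode()

def proxy_reply(raw, upstream):
    """Return the upstream verdict, or fail open with 'dunno' when upstream
    raised or did not return an 'action=' reply. Failing open keeps mail
    flowing during an outage at the cost of skipping greylisting meanwhile."""
    try:
        reply = upstream(raw)
    except (OSError, UnicodeDecodeError):
        return FAIL_OPEN
    return reply if reply.startswith("action=") else FAIL_OPEN

def serve_stdio(host, port):
    """Run under Postfix spawn(8): requests arrive on stdin, replies go to stdout."""
    raw = ""
    while True:
        line = sys.stdin.readline()
        if not line:            # EOF: Postfix closed the pipe
            return
        raw += line
        if line == "\n":        # the empty line ends one request
            sys.stdout.write(proxy_reply(raw, lambda r: query_upstream(r, host, port)))
            sys.stdout.flush()
            raw = ""

if __name__ == "__main__":      # assumed usage: policy-proxy.py <host> <port>
    serve_stdio(sys.argv[1], int(sys.argv[2]))
```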


Re: Newbie configuration/installation question

2009-04-13 Thread J Sloan
Tashfeen Ekram wrote:
 I have installed Postfix on Ubuntu to use to only send emails for my
 rails application. My rails application is not able to connect to it.
 Could this be because sendmail is listening at port 20?
 Also, what configuration would suit me best if I only want to send
 emails and not receive. This is only for testing purposes on my own
 laptop.


Just to eliminate a lot of guesswork: when you say you installed
postfix did you do something like apt-get install postfix or click on
postfix to install via synaptic, or did you download a tarball from the
internet and build it yourself?

How is rails configured to send the mail - with the sendmail command, or
via an smtp connection to the local host?

Joe


Re: my mailserver has been blacklisted

2009-03-26 Thread J Sloan
Charles Marcus wrote:
 On 3/26/2009, Jim Wright (j...@wrightthisway.com) wrote:
   
 Two options.  1,  Eliminate windows users from your network.
 

 Please... such comments are worse than useless...

   
It may not be what you want to hear, especially if you're heavily
invested in microsoft software, but it is nonetheless a choice which has
been implemented with great effectiveness by a number of organizations.

Follow-ups to off-topic list or PM -

Joe




Re: Performance tuning

2009-03-20 Thread J Sloan
For what it's worth, we've found ext3 to be far too slow for our needs.
The best setup we've found is reiserfs, mounted with noatime and
notail options -

Joe

Brandon Hilkert wrote:
 - Original Message - From: Ralf Hildebrandt
 ralf.hildebra...@charite.de
 To: postfix-users@postfix.org
 Sent: Friday, March 20, 2009 6:52 AM
 Subject: Re: Performance tuning


 * Brandon Hilkert bhilk...@vt.edu:

 We send out a pretty volume of emails right now using a combination of
 SQL and IIS SMTP. We get rates now of about 5,000/min. We're looking to
 not only improve the rates, but incorporate DKIM/Domainkey signing into
 the process. The choice has been made to go with postfix along with a
 queue directory on an XFS file system.

 You can check if the disk I/O is the bottleneck by simply putting the
 queue fs in a RAM disk!


 Sorry if this is a stupid question, but how do I go about this. I tried:

 mkdir /ram
 mount -t ramfs none /ram

 and when I send a mail, postfix says there's not enough space in the
 queue. Should I be doing it a different way?

 I also put the queue directory back on an ext3 partition and the rates
 went up by about a factor of two.

 Also, by default the syslog messages were already set with 
 -/var/log/mail.log. I disabled mail logging all together and found no
 change in rates.

 My disk is writing about 3 MB/s which should be well within its
 range. I would hope even larger, but I would like to work out the
 ramfs and test for sure.


 I'm using postfix as a relay, and having it sign the outgoing emails
 with DKIM. That process was about twice as slow as without it. Without
 DKIM, I'm getting a rate of 700/min.

 Signing takes time! htop will tell you IO rates and CPU usage...

 -- 
 Ralf Hildebrandt
 Postfix - Einrichtung, Betrieb und Wartung   Tel. +49 (0)30-450
 570-155
 http://www.computerbeschimpfung.de
 Windows 95 /n./ 32 bit extensions and a graphical shell for a 16 bit
 patch to an 8 bit operating system originally coded for a 4 bit
 microprocessor, written by a 2 bit company that can't stand 1 bit of
 competition. 




Re: weird postfix TLS behaviour (solved)

2009-02-25 Thread J Sloan
Victor Duchovni wrote:

 The policy table lookup key does not match the destination nexthop, or
   

   

 That's exactly the problem.

   
 I think you should be able to figure this out, even without reading the
 below, but if you are in a hurry try the documentation:

 http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps

 http://www.postfix.org/TLS_README.html#client_tls_policy
   

Ah so - since there was a transport entry for that domain, I had to
include even the brackets surrounding the transport entry, when adding
it to tls_policy_maps. With the brackets added to the tls_policy_maps
entry, the TLS session was set up as one would expect.

Thanks for the clue.

Joe




Re: gmail relay and certificates on Fedora 10

2009-02-04 Thread J Sloan
Sounds like fedora's missing a ca-bundle.crt...

Joe

sean darcy wrote:
 I followed the instructions on
 http://www.wormly.com/blog/2008/11/05/relay-gmail-google-smtp-postfix/
 to create your own certificate to use with google.

 main.cf:
 ..
 ## this to use certificate I created:
 ##  www.wormly.com/blog/2008/11/05/relay-gmail-google-smtp-postfix/
 relayhost = [smtp.gmail.com]:587
 smtp_connection_cache_destinations = smtp.gmail.com
 relay_destination_concurrency_limit = 1
 default_destination_concurrency_limit = 5
 smtp_sasl_auth_enable=yes
 smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
 smtp_use_tls = yes
 smtp_sasl_security_options = noanonymous
 smtp_sasl_tls_security_options = noanonymous
 smtp_tls_note_starttls_offer = yes
 tls_random_source = dev:/dev/urandom
 smtp_tls_scert_verifydepth = 5
 smtp_tls_key_file=/etc/postfix/postfixclient.key
 smtp_tls_cert_file=/etc/postfix/postfixclient.pem
 smtp_tls_enforce_peername = no
 smtpd_tls_req_ccert =no
 smtpd_tls_ask_ccert = yes
 soft_bounce = yes

 I get this  error:

 Feb  4 17:01:52 asterisk postfix/smtp[17447]: certificate verification failed for smtp.gmail.com[74.125.47.111]:587: untrusted issuer /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailaddress=premium-ser...@thawte.com

 The error message is weird since it refers to thawte.com.

 /etc/postfix/postfixclient.pem:

 Certificate:
 Data:
 Version: 3 (0x2)
 Serial Number: 1 (0x1)
 Signature Algorithm: sha1WithRSAEncryption
 Issuer: C=us, ST=new york, O=n/a, OU=section,
 CN=seandarcy/emailaddress=seanda...@gmail.com
 Validity
 Not Before: Feb  4 21:40:25 2009 GMT
 Not After : Feb  4 21:40:25 2010 GMT
 Subject: C=us, ST=new york, O=n/a, OU=section,
 CN=seandarcy/emailaddress=seanda...@gmail.com
 Subject Public Key Info:
 Public Key Algorithm: rsaEncryption
 RSA Public Key: (1024 bit)
 Modulus (1024 bit):
 ...

 So I should be the issuer. Or is referring to the issuer of its
 certificate?

 In any event, anyone else have this working?

 sean




Re: Properly Specifying RBL in main.cf

2009-01-15 Thread J Sloan
Rich Shepard wrote:

   Ah, so! That explains it. I run Dan Bernstein's dnscache here, but
 use my
 ISP's DNS servers otherwise.

   So, now I need to consider whether to remove the spamhaus line from
 main.cf or set up and maintain my own dns server.


I find that having a local unix-based dns server is often orders of
magnitude faster than relying on an upstream isp for dns resolution.

Joe


Re: Properly Specifying RBL in main.cf

2009-01-15 Thread J Sloan
Rich Shepard wrote:
 On Thu, 15 Jan 2009, J Sloan wrote:

 I find that having a local unix-based dns server is often orders of
 magnitude faster than relying on an upstream isp for dns resolution.

 Joe,

   I don't know that the effort to set up and maintain djbdns is worth any
 speed increase. I've no basis for comparison.

Dunno about djbdns - last I checked it was rather long in the tooth -
but using the standard bind9, out of the box, as shipped by linux
vendors and used as a caching dns server is a very cheap and easy speedup.

Joe



Re: Canonical Rewriting

2008-12-12 Thread J Sloan
Ville Walveranta wrote:
 Somewhat unrelated, but perhaps worth mentioning:

 For couple of years I've used RegexBuddy (http://www.regexbuddy.com)

Weird, no linux version? oh well, useless to me.

Joe


Re: Canonical Rewriting

2008-12-12 Thread J Sloan
Sturgis, Grant wrote:
 I know, way OT, but has to be said:

 You think a linux bigot would use such a thing?
   
No need for name calling on this list. That sort of nonsense, if you've
simply got to say it, should have been said via pm.

Joe


Re: SuSE repository - old postfix ?

2008-12-08 Thread J Sloan
Alexander Grüner wrote:
  Open SUSE includes more recent postfix rpms (but in the factory not
 the repos):
 http://download.opensuse.org/factory/repo/oss/suse/x86_64/postfix-2.5.5-6.6.x86_64.rpm

 
 http://download.opensuse.org/factory/repo/oss/suse/i586/postfix-2.5.5-6.5.i586.rpm

 
  Obviously, there may be dependencies you need to meet. There are
 also SRC rpms available.

 Tracy,

 thanks for this hint. Are these only for openSuSE 11.1 ? I will need
 SuSE Linux Enterprise 10 SP2.

I always grab the src rpms from suse factory, compile them on a SLES 9
server and push the compiled packages out to our SLES 9 based smtp
gateways. It works quite well. That may not be supported, but in all
the years we've had linux support, we've never, ever called for a
postfix problem anyway, so that matters little. The alternative for us
would be to run postfix-2.1.1 as shipped on SLES 9.

Joe


Re: Stopping backscatter with before-queue

2008-12-08 Thread J Sloan
Chris Turan wrote:

 Ouch, but you're right.  I am creating my own misery.  It wasn't a
 problem before when I was unknown to the spammers.  It's only been a
 problem for a few weeks and I haven't yet been put on any blacklists.

Keep sending out backscatter spam, and you will most certainly end up on
blacklists.

Joe


Re: SOLVED: SMTP transaction interrupted

2008-11-04 Thread J Sloan
Wietse Venema wrote:
 Wietse Venema:
   
 I don't know if this is a problem with Windows TCP/IP, or if this
 is a problem with a firewall on the client side.  Reportedly, some
 firewalls randomize TCP sequence numbers but don't update the
 sequence numbers in SACK fields. That would be a sure way to mess
 up TCP.
 

 Quoting from the Linux kernel mailing list, December 2007:

 The Cisco PIX had a bug with SACK handling (CSCse14419, fixed
 in 7.0(7), 7.1(2.34), 7.2(2.2), 8.0(0.141) but perhaps it has
 regressed). A simple trace either side of the firewall will
 show the inconsistency between the TCP sequence number (which
 gets randomised) and the Sack sequence number (which didn't).
 You could disable the TCP Sequence Number Randomisation feature
 and see if the fault reoccurs.

 To disable Selective Ack support:

 *BSD: sysctl -w net.inet.tcp.sack.enable=0
 L*n*x: echo 0 > /proc/sys/net/ipv4/tcp_sack
   

That might still work, but doing a cat to /proc is deprecated now.

The recommended method in linux is:
sysctl -w net.ipv4.tcp_sack=0

Joe




Re: Finally blocking some spam

2008-10-13 Thread J Sloan
mouss wrote:
 Joey wrote:
   
 One thing I didn't think of on this, is that the list from spamhaus will be
 the same I am already rejecting via RBL and while it is local, it would
 still not include all the IP's I am using from these other heavy spam
 countries.
 


 you can build your own reputation list. it's not easy, though.


   
 The best list I have found is http://www.okean.com/ which is only known
 spammers from those countries.

 

 I get 403 Forbidden. Maybe they block France?


   
I get the denied access as well, from US -

This is not terribly useful IMHO.

Joe